
Cisco Secure ACS for Windows Internal Architecture

From the document Cisco ® Certified (Page 142-146)

Cisco Secure ACS for Windows NT/2000 version 3.0 servers are designed to be modular and flexible, scaling from simple to complex networks. Cisco Secure ACS includes the following service modules:

CSAdmin

CSAdmin is the service for the Cisco Secure ACS internal web server, which eliminates the need for a third-party web server. Once installed, Cisco Secure ACS must be configured from its HTML interface, which requires that CSAdmin be running. CSAdmin is a multithreaded application, allowing multiple administrators to access it at the same time. CSAdmin is best suited to distributed, multiprocessor, and clustered environments.

While the other services can be started and stopped from within the Cisco Secure ACS HTML interface, this doesn't include starting or stopping CSAdmin. If CSAdmin stops abnormally through an external action, Cisco Secure ACS is only accessible from the Windows NT/2000 server on which it's running. CSAdmin can be started or stopped from the Windows NT/2000 Services menu.

CSAuth

CSAuth is the authentication and authorization service used to permit or deny access to users. CSAuth is the database manager that determines whether access should be granted and defines the privileges for a particular user. Cisco Secure ACS can access several different databases for authentication purposes. When a request for authentication arrives, Cisco Secure ACS checks the database configured for that user. If the user is unknown, Cisco Secure ACS checks the database(s) configured for unknown users. The database options include the following:

Cisco Secure ACS user database: The fastest option involves locating the user name and checking the password against the internal Cisco Secure ACS user database, as depicted in Figure 4-2. This avoids any delay while Cisco Secure ACS waits for a response from an external user database.

Windows NT/2000 user database: CSAuth passes the user name and password to Windows NT/2000 for authentication using its user database. Windows NT/2000 then provides a response approving or denying validation.

Figure 4-3 represents Cisco Secure ACS using the network OS security database to authenticate users.

Novell NDS option: Uses the Novell NDS service to authenticate users. Cisco Secure ACS supports one tree, but the tree can have multiple Containers and Contexts. The Novell requester must be installed on the same Windows server as Cisco Secure ACS.

Figure 4-2 Cisco Secure ACS using its own database to authenticate users


ODBC: Open Database Connectivity (ODBC)-compliant SQL databases use the ODBC standardized API developed by Microsoft, which is now used by most major database vendors. A benefit of ODBC in a web-based environment is easy access to data storage programs, such as Microsoft Access and SQL Server.

UNIX passwords: Cisco Secure ACS includes a password import utility to import passwords from a UNIX database.

Generic LDAP: Cisco Secure ACS supports authentication of users against records kept in a directory server through LDAP. Both PAP and CHAP passwords can be used when authenticating against the LDAP database.

Token Card servers: Cisco Secure ACS supports token servers, such as RSA SecurID and SafeWord AXENT, and any hexadecimal X.909 Token Card, such as CRYPTOCard. Cisco Secure ACS either acts as a client to the token server or, in other cases, uses the token server's RADIUS interface for authentication requests.

Figure 4-4 shows the Token Card server interacting with Cisco Secure ACS.

When the user authenticates using one of the defined methods, Cisco Secure ACS obtains a set of authorizations from the user profile and any groups the user belongs to. This information is stored with the user name in the Cisco Secure ACS user database.

Some authorizations are the services the user is entitled to, such as IP over PPP, IP pools from which to draw an IP address, access lists, and password aging information. The authorizations, together with the authentication approval, are then passed to the CSTacacs or CSRadius modules to be sent to the requesting device.
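The two passages above describe a lookup chain (the user's configured database first, then the unknown-user databases in order) followed by an authorization merge from the user profile and its groups. The following is an added example written for this page, not Cisco's code: it models that chain with in-memory stand-ins for the databases. Every name in it (UserDb, PROFILES, GROUP_AUTHZ, UNKNOWN_USER_DBS, the sample users and attribute keys) is a constructed assumption, and the rule that user-level attributes override group-level ones is an assumption for the sake of illustration.

```python
"""Added example (not Cisco's code): models the CSAuth lookup chain and the
authorization merge described on this page, using in-memory stand-ins for
the databases. All names and sample data are constructed assumptions."""
from dataclasses import dataclass, field


class UserDb:
    """Minimal stand-in for one of the databases CSAuth can consult."""

    def __init__(self, name, users):
        self.name = name
        self._users = users  # constructed: username -> password

    def knows(self, username):
        return username in self._users

    def check(self, username, password):
        return self._users.get(username) == password


@dataclass
class UserProfile:
    db: str                 # which database authenticates this known user
    groups: list            # group memberships contributing authorizations
    authorizations: dict = field(default_factory=dict)  # user-level overrides


# Constructed sample configuration: three databases and two known users.
INTERNAL = UserDb("internal", {"alice": "a-pass"})
WINDOWS = UserDb("windows", {"bob": "b-pass"})
LDAP = UserDb("ldap", {"carol": "c-pass"})
DBS = {"internal": INTERNAL, "windows": WINDOWS, "ldap": LDAP}

PROFILES = {
    "alice": UserProfile("internal", ["netadmins"], {"service": "ppp-ip"}),
    "bob": UserProfile("windows", ["helpdesk"]),
}
GROUP_AUTHZ = {
    "netadmins": {"acl": "permit-all", "ip-pool": "admin-pool"},
    "helpdesk": {"acl": "restricted", "ip-pool": "user-pool", "password-aging": 30},
}
# Databases consulted, in order, for users that have no profile (assumption).
UNKNOWN_USER_DBS = [WINDOWS, LDAP]


def authenticate(username, password):
    """Return the name of the database that validated the user, or None."""
    profile = PROFILES.get(username)
    if profile is not None:
        # Known user: only the database configured for that user is consulted.
        db = DBS[profile.db]
        return db.name if db.check(username, password) else None
    # Unknown user: walk the unknown-user databases in configured order and
    # stop at the first one that actually holds the account.
    for db in UNKNOWN_USER_DBS:
        if db.knows(username):
            return db.name if db.check(username, password) else None
    return None


def authorizations(username):
    """Merge group attributes with the user's own; user-level values win."""
    profile = PROFILES.get(username)
    if profile is None:
        return {}
    merged = {}
    for group in profile.groups:
        merged.update(GROUP_AUTHZ.get(group, {}))
    merged.update(profile.authorizations)
    return merged


def aaa_reply(username, password):
    """What would be handed to CSTacacs/CSRadius: a verdict plus attributes."""
    db = authenticate(username, password)
    if db is None:
        return {"result": "deny"}
    return {"result": "permit", "db": db, "attributes": authorizations(username)}


if __name__ == "__main__":
    for user, pw in [("alice", "a-pass"), ("carol", "c-pass"), ("dave", "x")]:
        print(user, aaa_reply(user, pw))
```

Note that a wrong password for a known user is a deny, not a fall-through to the unknown-user databases; only users with no profile at all reach that list.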

Figure 4-3 Cisco Secure ACS using Windows security database for authentication

CSDBSync

CSDBSync is an alternative to using the ODBC dynamic link library (DLL) to synchronize the Cisco Secure ACS database with third-party RDBMS systems. As of version 2.4, CSDBSync synchronizes AAA client, AAA server, network device group (NDG), and proxy table information.

CSLog

CSLog is the service that captures and stores logging information. CSLog gathers data from the TACACS+ or RADIUS packet and from CSAuth, and formats the data into comma-separated value (CSV) files that can be imported into spreadsheets supporting the format.
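Because CSLog writes plain CSV, the same files that go into a spreadsheet can also be read by a script. The following is an added example written for this page, not Cisco's code: it parses a few constructed CSLog-style lines and counts non-successful attempts per user and caller. The column names (User-Name, Caller-ID, Message-Type and so on) and the sample rows are assumptions made up for the example; a real deployment would use the headers present in its own CSV files.

```python
"""Added example (not Cisco's code): read constructed CSLog-style CSV lines
and summarise failed authentication attempts. Column layout is an assumption."""
import csv
from collections import Counter
from io import StringIO

# Constructed sample in a CSLog-style layout; header names are assumptions.
SAMPLE_CSV = """Date,Time,User-Name,Group-Name,Caller-ID,NAS-IP-Address,Message-Type
01/15/2002,09:01:12,alice,netadmins,10.0.0.5,10.0.0.1,Authen OK
01/15/2002,09:02:40,bob,helpdesk,10.0.0.9,10.0.0.1,Authen failed
01/15/2002,09:02:51,bob,helpdesk,10.0.0.9,10.0.0.1,Authen failed
01/15/2002,09:03:05,bob,helpdesk,10.0.0.9,10.0.0.1,Authen failed
01/15/2002,09:04:00,mallory,,10.0.0.77,10.0.0.1,Unknown user
"""

SUCCESS = "Authen OK"  # assumed wording of the success message


def parse_cslog(text):
    """Parse CSV text with a header row into a list of dict records."""
    return list(csv.DictReader(StringIO(text)))


def failed_attempts(records):
    """Count every non-success record per (user, caller) pair."""
    counts = Counter()
    for rec in records:
        if rec["Message-Type"] != SUCCESS:
            counts[(rec["User-Name"], rec["Caller-ID"])] += 1
    return counts


def flag_repeated_failures(records, threshold=3):
    """Return (user, caller) pairs that reached the failure threshold."""
    return sorted(key for key, n in failed_attempts(records).items() if n >= threshold)


if __name__ == "__main__":
    recs = parse_cslog(SAMPLE_CSV)
    print(failed_attempts(recs))
    print(flag_repeated_failures(recs))
```

Keying on the caller as well as the user name keeps a single mistyped password from the same source separate from the same user name tried from many sources, which is the pattern an administrator usually wants to notice.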

CSMon

CSMon minimizes downtime in a remote access network environment. CSMon works for both TACACS+ and RADIUS by automatically detecting which protocols are in use.

CSMon performs four basic activities:

Monitoring: Monitors the overall status of Cisco Secure ACS and the host system it's running on. It uses the Windows Event Log and Performance Monitor to monitor overall system health, including disk, CPU, and memory utilization.

Recording: Records and reports all exceptions to a special log file that can be used to diagnose problems.

Figure 4-4 Remote user authentication using Token Card

Notification: Alerts the administrator to potential problems and real events regarding Cisco Secure ACS, and records all such problems. The default notification method is Simple Mail Transfer Protocol (SMTP) e-mail, but scripts can be written to enable other methods, such as pager notification.

Response: Can be configured to attempt to fix detected problems automatically and intelligently, such as running scripts to restart stopped services.
